Usage of short circuit evaluation, though well-defined in the C standard, may alter control flow in a way that introduces logic errors that are difficult to detect, possibly causing errors later during the product's execution. If an attacker can discover such an inconsistency, it may be exploitable to gain arbitrary control over a system.
If the first condition of an "or" statement is assumed to be true under normal circumstances, or if the first condition of an "and" statement is assumed to be false, then any subsequent conditional may contain its own logic errors that are not detected during code review or testing.
Finally, the usage of short circuit evaluation may decrease the maintainability of the code.
Portée | Impact | Probabilité |
---|---|---|
Confidentiality Integrity Availability | Varies by Context Note: Widely varied consequences are possible if an attacker is aware of an unexpected state in the product after a conditional. It may lead to information exposure, a system crash, or even complete attacker control of the system. |
Nom | Organisation | Date | Date de publication | Version |
---|---|---|---|---|
CWE Content Team | MITRE | 1.4 |
Nom | Organisation | Date | Commentaire |
---|---|---|---|
CWE Content Team | MITRE | updated Description | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Likelihood_of_Exploit, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Common_Consequences, Description | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Mapping_Notes | |
CWE Content Team | MITRE | updated Common_Consequences |